论文信息 - A Business Goal Driven Approach for Understanding and Specifying Information Security Requirements

A Business Goal Driven Approach for Understanding and Specifying Information Security Requirements

In this paper we present an approach for specifying and prioritizing information security requirements in organizations. It is important to prioritize security requirements since hundred per cent security is not achievable and the limited resources available should be directed to satisfy the most important ones. We propose to link explicitly security requirements with the organization’s business vision, i.e. to provide business rationale for security requirements. The rationale is then used as a basis for comparing the importance of different security requirements. A conceptual framework is presented, where the relationships between business vision, critical impact factors and valuable assets (together with their security requirements) are shown.

Pascal van Eck | Damiano Bolzoni | Xiaomeng Su

[1] Donald Firesmith,et al. Common Concepts Underlying Safety, Security, and Survivability Engineering , 2003 .

[2] Frederik D. Wiersema,et al. The Discipline of Market Leaders-Choose your customers , 2015 .

[3] ChungLawrence,et al. From object-oriented to goal-oriented requirements analysis , 1999 .

[4] Ross J. Anderson. Security engineering - a guide to building dependable distributed systems (2. ed.) , 2001 .

[5] Eric Yu,et al. Modelling Trust in the i* Strategic Actors Framework , 2000 .

[6] Paul Jones,et al. Secrets and Lies: Digital Security in a Networked World , 2002 .

[7] Marianne Swanson,et al. Security Self-Assessment Guide for Information Technology Systems , 2001 .

[8] Axel van Lamsweerde,et al. Elaborating security requirements by construction of intentional anti-models , 2004, Proceedings. 26th International Conference on Software Engineering.

[9] Steven Furnell. Computer insecurity - risking the system , 2005 .

[10] Andreas L. Opdahl,et al. Eliciting security requirements with misuse cases , 2004, Requirements Engineering.

[11] Frederik D. Wiersema,et al. Customer intimacy and other value disciplines , 1993 .

[12] John Mylopoulos,et al. Analyzing security requirements as relationships among strategic actors , 2002 .